Aris Telecom Security Advisory
==============================
19/02/2002


Title:
======

    Outlook Web Access view include files vulnerability


Systems Affected:
=================

    Outlook Web Access 5.5 SP4; other versions are possibly affected


Description:
============

    Outlook Web Access (OWA) contains a flaw that allows any Internet user to
    view all the files in the /lib directory. These files are stored with the
    .INC extension, so when one is requested by a browser, the server displays
    all of the ASP code contained in the file:

    www.server.com/exchange/lib/logon.inc


    Other files that can be viewed are:

    exchange/lib/AMPROPS.INC
    exchange/lib/ATTACH.INC
    exchange/lib/DELETE.INC
    exchange/lib/GETREND.INC
    exchange/lib/GETWHEN.INC
    exchange/lib/JSATTACH.INC
    exchange/lib/JSROOT.INC
    exchange/lib/JSUTIL.INC
    exchange/lib/LANG.INC
    exchange/lib/PAGEUTIL.INC
    exchange/lib/PUBFLD.INC
    exchange/lib/RENDER.INC
    exchange/lib/SESSION.INC
    exchange/lib/STORE.INC
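
    The check below is an added example, not part of the original advisory. It
    scans web server access logs in W3C extended format for requests to .inc
    files under /exchange/lib/ and marks those answered with status 200. The log
    lines, client addresses and the name find_inc_requests are constructed for
    illustration.

```python
import re

# Constructed sample in W3C extended log format; the client addresses are
# documentation-range placeholders, not real observations.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-02-19 10:01:12 192.0.2.10 GET /exchange/logon.asp 200
2002-02-19 10:01:40 198.51.100.7 GET /exchange/lib/logon.inc 200
2002-02-19 10:01:41 198.51.100.7 GET /exchange/LIB/SESSION.INC 200
2002-02-19 10:02:03 203.0.113.5 GET /exchange/lib/STORE.INC 404
2002-02-19 10:02:09 192.0.2.10 GET /exchange/lib/ 403
"""

# Any .inc file directly under /exchange/lib/, matched case-insensitively
# because the advisory lists the same directory in both upper and lower case.
INC_PATH = re.compile(r"^/exchange/lib/[^/]+\.inc$", re.IGNORECASE)


def find_inc_requests(log_text):
    """Return (client_ip, path, status, verdict) for each .inc request."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Column order is declared per log file, so read it from the header.
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated row
        row = dict(zip(fields, values))
        path = row.get("cs-uri-stem", "")
        if not INC_PATH.match(path):
            continue
        raw_status = row.get("sc-status", "")
        status = int(raw_status) if raw_status.isdigit() else 0
        # 200 means the file body (the ASP source) was returned to the client.
        verdict = "source-served" if status == 200 else "attempt"
        findings.append((row.get("c-ip", "-"), path, status, verdict))
    return findings


if __name__ == "__main__":
    for finding in find_inc_requests(SAMPLE_LOG):
        print(finding)
```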


Solution:
=========

    Microsoft has been informed.


Acknowledgements:
=================

    The bug was discovered by Marcos A. Ferreira Jr.
    Contact: marcos@aristelecom.com.br

    English version:
    http://www.aristelecom.com.br/adv/owa-advisory-en.txt

    Portuguese version:
    http://www.aristelecom.com.br/adv/owa-advisory-pt.txt


Contact Information:
====================

    Aris Telecom can be reached by e-mail at: aristelecom@aristelecom.com.br
    Our web page is at https://www.aristelecom.com.br